Query Details
// Threat Hunting - MDE Network Intrusion Discovery
//
// Did you know that if your Microsoft Defender for Endpoint (MDE) endpoints have the endpoint firewall enabled, you can use its telemetry data to identify potential rogue hosts in your network? During the WannaCry outbreak, I used to deploy honeypots to detect infected machines via port 445 connectivity, allowing me to trace back to the source of infection.
//
// With the MDE endpoint firewall enabled, any inbound firewall connection block is logged as ActionType == "FirewallInboundConnectionBlocked" in the DeviceEvents schema. Using this data, you can create a query to summarize the number of TargetDevices and local TargetPorts that blocked each RemoteIP. By sorting the TargetDevices and TargetPorts in descending order, you can identify the top RemoteIPs with the highest number of blocks. These RemoteIPs likely indicate port scanning activity, which warrants further investigation by your SecOps team to determine the function of the host at the RemoteIP.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == @"FirewallInboundConnectionBlocked"
| summarize TargetDevice=dcount(DeviceName), TargetPort=dcount(LocalPort) by RemoteIP
| where TargetDevice > 20
| where TargetPort > 10
| sort by TargetDevice, TargetPort desc
// MITRE ATT&CK MAPPING
// T1049 - System Network Connections Discovery
// T1071 - Application Layer Protocol
// T1133 - External Remote Services
This query is designed for threat hunting using Microsoft Defender for Endpoint (MDE) data to identify potential rogue hosts in your network. It focuses on detecting suspicious activity by analyzing firewall logs for blocked inbound connections.
Here's a simplified breakdown of the query:
Data Source: It uses the DeviceEvents table, which contains logs from MDE endpoints.
Time Frame: The query looks at data from the past 30 days.
Filter Criteria: It specifically filters for events where the action type is "FirewallInboundConnectionBlocked," indicating that an inbound connection attempt was blocked by the endpoint firewall.
Summarization: The query summarizes the data by counting the number of unique devices (TargetDevice) and local ports (TargetPort) that blocked connections from each remote IP address (RemoteIP).
Thresholds: It further filters to include only those remote IPs that were blocked by more than 20 devices and on more than 10 different ports. This helps focus on IPs that are more likely to be involved in suspicious activities, such as port scanning.
Sorting: The results are sorted to show the remote IPs with the highest number of blocks first, prioritizing those with the most widespread impact across devices and ports.
Purpose: The goal is to identify remote IPs that may be conducting port scans or other suspicious activities, which should be investigated further by the security operations team.
MITRE ATT&CK Mapping: The query is related to specific tactics and techniques from the MITRE ATT&CK framework, such as discovering system network connections, using application layer protocols, and accessing external remote services.
Overall, this query helps security teams identify and investigate potential network intrusions by highlighting remote IPs that are frequently blocked by endpoint firewalls.
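To show why the two thresholds are needed together, here is an added offline re-implementation of the query's logic (not the author's code) run over constructed DeviceEvents rows: a scanner sweeping many ports on many devices passes, while a monitoring server (many devices, one port), a noisy server (many ports, few devices), stale activity and a different ActionType are all excluded. The timestamp NOW, the IP addresses and the device names are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "query time"; the real query uses ago(30d) relative to now.
NOW = datetime(2024, 10, 3, tzinfo=timezone.utc)
SCAN_PORTS = (22, 80, 135, 139, 443, 445, 3389, 5985, 8080, 1433, 3306, 5900)


def event(days_ago, device, port, remote_ip, action="FirewallInboundConnectionBlocked"):
    """One constructed DeviceEvents row (only the columns the query touches)."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "ActionType": action,
            "DeviceName": device, "LocalPort": port, "RemoteIP": remote_ip}


def sample_events():
    """Constructed telemetry covering the cases the thresholds are meant to separate."""
    ev = []
    # 1. Scanner-like host: 12 ports on 25 devices -> passes both thresholds.
    ev += [event(1, f"ws-{d:03d}", p, "10.0.5.77") for d in range(25) for p in SCAN_PORTS]
    # 2. Monitoring server: 40 devices but a single port -> fails TargetPort > 10.
    ev += [event(2, f"ws-{d:03d}", 161, "10.0.1.10") for d in range(40)]
    # 3. Many ports on only 5 devices (a noisy app server) -> fails TargetDevice > 20.
    ev += [event(3, f"srv-{d:02d}", p, "10.0.9.5") for d in range(5) for p in SCAN_PORTS]
    # 4. Scanner activity older than the 30-day lookback -> dropped by the time filter.
    ev += [event(45, f"ws-{d:03d}", p, "10.0.7.99") for d in range(30) for p in SCAN_PORTS]
    # 5. Same shape of activity but an outbound block -> dropped by the ActionType filter.
    ev += [event(1, f"ws-{d:03d}", p, "10.0.8.8", "FirewallOutboundConnectionBlocked")
           for d in range(30) for p in SCAN_PORTS]
    return ev


def hunt(events, now=NOW, lookback_days=30, min_devices=20, min_ports=10):
    """Mirror of the KQL: time and ActionType filter, dcount per RemoteIP, threshold, sort."""
    devices, ports = defaultdict(set), defaultdict(set)
    for e in events:
        if e["Timestamp"] <= now - timedelta(days=lookback_days):
            continue  # Timestamp > ago(30d)
        if e["ActionType"] != "FirewallInboundConnectionBlocked":
            continue
        devices[e["RemoteIP"]].add(e["DeviceName"])  # dcount(DeviceName)
        ports[e["RemoteIP"]].add(e["LocalPort"])     # dcount(LocalPort)
    rows = [(ip, len(devices[ip]), len(ports[ip])) for ip in devices
            if len(devices[ip]) > min_devices and len(ports[ip]) > min_ports]
    # sort by TargetDevice, TargetPort desc (KQL sort is descending by default)
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for ip, dev, prt in hunt(sample_events()):
        print(f"{ip:<12} TargetDevice={dev} TargetPort={prt}")
```

Lowering min_devices shows the noisy app server surfacing as a second row, which is the tuning trade-off the thresholds in the original query encode.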

Steven Lim
Released: October 3, 2024